In our last post in this series, we defined social engineering and talked about how social engineers can use techniques like impersonation, phishing, smishing, and vishing to mount or complete an attack against you.
In this post, we are going to explore a different way an attacker might collect information they can use against you: the information you share on social media. We often think of cybercrime as the work of elite hackers hiding out in dark rooms, slowly chopping their way through the digital wilderness to pick the locks on our secrets. You may be surprised to learn that attackers often need not look past the public data on social media accounts to compromise an identity. To get started, let’s take a look at some of the information your social media accounts might be sharing about you:
What Might Social Media Share?
Facebook is, indisputably, the king of social networks. As of September 30, 2018, Facebook touted 2.27 billion monthly active users. On top of this massive user base, Facebook invites users to share a wealth of personal information far beyond the scope of services like Twitter, Pinterest, or LinkedIn. For these reasons, we are going to consider public data in social media through the lens of what Facebook will allow. Other social media platforms might allow less information or slightly different information to be shared, but Facebook allows users to document and disseminate such a large portion of their identity that, for the purposes of this discussion, it really is the standard bearer for self-disclosure. If you’re having difficulty thinking of all the information Facebook will allow you to share publicly, here’s a short recap:
- Name
- Contact information (phone, e-mail, address, & other social media)
- Personal websites
- Current and past places of residence
- Past places visited
- Current and previous employers
- Education and institutions attended
- Birth date
- Family members and friends
- Personal interests
- Photos, wall posts, and things you are tagged in
- Relationship status and current partner
- Major life events (new jobs, new relationships, start/completion of education)
- Religious and political views
Why Does It Matter?
Out of the box, Facebook will allow you to share information with the entire world that you wouldn’t be willing to share with strangers on a train, but many people never stop to consider how this information can be used by malicious actors. The information above can be used by a malicious actor to steal an identity, research relationships for another target, or to gather information for blackmail or harassment. Protecting your personal information on social media is essential to protecting your identity and your financial security.
Using information found on social media, an attacker might be able to gather enough detail to send you targeted phishing messages designed to collect “out of wallet” information or personally identifiable information not found on social media, like your Social Security number or account numbers. Making large amounts of information public increases your risk exposure: the more you provide, the less work a social engineer has to do to compromise your identity or personal accounts. If you share too much online, you dramatically increase the likelihood that your information is used against you or others close to you.
Protecting Your Information
It should be clear now that social networking sites can capture and share a tremendous amount of information just from your profile, uploaded content, and shared posts. So what can you do to protect your information? Here are a few tips that can help keep you safe online:
Do This:
- Be aware of the personal information you share on social media
- Use privacy settings to limit who can see your information whenever possible
- Restrict shared content only to close, trusted contacts when you can
- Always assume everything you put on the Internet could be accessible to anyone and everyone now or in the future
- We’ve written about it before, but if you’re not using Two Factor Authentication (2FA), the best time to enable it is now
Don’t Do This:
- Post out of wallet information used to verify your identity with other companies or services; stolen out of wallet responses can be used to take over your accounts elsewhere — if your dog’s name is one of your security questions, keep it a secret!
- Assume an account is owned or used by whoever it appears to be; accounts can be faked or stolen at any point, so always confirm the identity of the account holder before sharing personal information
- Send money to someone without confirming directly with them that they requested it; stolen accounts often request money for reasons that seem reasonable at the time
- Share information that could be harmful if the recipient’s account is compromised; remember, not everyone will be as careful as you and any information you share could end up in someone else’s (or everyone else’s) hands
- Assume anything can or will ever be deleted from the Internet – once posted online, it is nearly impossible to get it back
- Post personally identifiable information online